[German]What can I do as an Exchange Server administrator in light of the ongoing waves of attacks on ProxyLogon vulnerabilities? What do I need to be aware of? How do I find out if instances are already compromised? The repository is intended to provide guidance for Exchange administrators to quickly get to the most important information.
The Exchange mass hacking by the Hafnium group as well as the issue surrounding ProxyLogon vulnerabilities is sending shockwaves through the Microsoft ecosystem. Currently, at least ten threat actors are exploiting the vulnerabilities and attempting to compromise Exchange servers that are accessible via the Internet. Everything from installing crypto miners, stealing information or penetrating Active Directory structures to distributing ransomware is involved. The issue will be with us for a long time. Anyone responsible for Exchange servers is faced with the question: How to secure the installations and am I already compromised?
Identify Exchange servers and disconnect them from the network if necessary
The first step is to ensure that all on-promise Exchange servers (versions 2010, 2013, 2016 and 2019) in the corporate structure are known and their locations identified. It should also be checked whether the Exchange server in question can be reached via port 443 via the Internet – and if so, whether it has been secured by appropriate measures (reverse proxy with protective measures, etc.). If not, it is recommended to disconnect the Exchange Server from the Internet, at least temporarily.
Palo Alto states here that the first attack requires the ability to establish an untrusted connection to Exchange Server port 443. Administrators can protect against this by restricting untrusted users from accessing the system. This can be accomplished by allowing administrators to allow access to the system only from users who have already authenticated through a VPN, or by using a firewall to restrict access to specific hosts or IP ranges. Using this mitigation only protects against the first part of the attack. Other parts of the chain can still be triggered if an attacker already has access to the network or can convince an administrator to open a malicious file.
Next, all logs must be backed up in order to be able to prove and trace a compromise in the first place, if necessary.
Is the Exchange Server compromised?
An unpatched Exchange server that is accessible via the Internet via port 443 (and otherwise unprotected) is likely to have been compromised by now by a webshell as a backdoor or other malware. Following the above measures, it is therefore recommended to check whether the machine is already compromised. Problem is, these vulnerabilities have been under attack since (possibly) January 3, 2021. So how do I find out if the server is already infected?
- In the article HAFNIUM targeting Exchange Servers with 0-day exploits, Microsoft has compiled some information on how the attack of the Hafnium group works and what signs about a compromised systems may be there.
- Microsoft provides some PowerShell scripts on this GitHub page, which can be used for automated testing. Especially the PowerShell script Test-ProxyLogon.ps1 can give a first quick hint if Hafnium was active. However, there are reader reports that the script runs into errors with Exchange Server 2010 – and it probably only detects hafnium activity.
- The security researchers from ESET have in the blog post Exchange servers under siege from at least 10 APT groups taken the story thing a bit further and shed light on the traces of different attacker groups.
- Palo Alto advises in this article to scan the system for suspicious process and system behavior, especially related to Internet Information Service (IIS) and Exchange application processes, such as PowerShell, command shells (cmd.exe) and other programs running in the applications' address space.
Attention: Microsoft has built in a detection of the malware in Defender and also extended the Microsoft Support Emergency Response Tool (MSERT) with security information to detect the hafnium attack (see my blog post Microsoft MSERT helps to scan Exchange Servers). However, based on current knowledge, I would rather advise "hands off MSERT", because a scan is likely to remove the infection and thus the traces for analysis without ensuring complete cleanup. It would be conceivable to use the /N parameter for a read-only scan. However, the following pitfalls remain.
German security researcher Stefan Kathal pointout out a DLL hijacking vulnerability in MSERT, so that an unsophisticated administrator unknowingly helps a malware to gain administrator rights.
Last issue: Thee tool reports x infections, but in the end the MSRT declares the system as clean. The log files are also empty, so the tool drives admins into a heart attacks. More details are described in the article Update on ProxyLogon hafnium exchange issue (March 12, 2021).
Is an infection detected? A rebuild of the Exchange Server is recommended. But take cared: In case of doubt, a forensics expert would have to be called in to check what has been compromised and what information has already been extracted – and whether Active Directory structures have already been touched.
An infection may also have to be reported to the responsible data protection authority, as the process may be relevant to the European GDPR.
Patch your Exchange Server
Once the above issues are resolved, ensure that Exchange instances are patched against the known vulnerabilities CVE-2021-27065, CVE-2021-26855, CVE-2021-26857 and CVE-2021-26858 through security updates.
- For Exchange Server on with latest cumulative update, Microsoft has released security updates for all supported versions – see Microsoft's post Released: March 2021 Exchange Server Security Updates. For an overview, see the blog post Exchange server 0-day exploits are actively exploited.
- For Exchange Servers that are still on an older patch level with regard to cumulative updates, Microsoft has in the meantime also issued special security sudpates – see Microsoft's article March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server. However, these updates only affect vulnerabilities that became public in March 2021.
Although Exchange 2010 is not vulnerable to the same attack chain as Exchange 2013/2016/2019, Microsoft has released a patch for CVE-2021-26857 for that version of the software. Once again, here is the list of recent updates:
- Exchange Server 2019 (update requires Cumulative Update (CU) 8 or CU 7).
- Exchange Server 2016 (update requires CU 19 or CU 18).
- Exchange Server 2013 (update requires CU 23).
- Exchange Server 2010 (update requires SP 3 or any SP 3 RU – this is a Defense in Depth update).
When installing the security updates manually, make sure that the patches are installed with administrative user rights. All necessary actions are described in this Microsoft document and in the document Upgrade Exchange to the latest Cumulative Update.
If the Exchange Server cannot be patched immediately, the Microsoft document Microsoft Exchange Server Vulnerabilities Mitigations – updated March 9, 2021 can be used to take temporary mitigation to reduce the risk of an attack.
Sites for more information are also:
- Remediation Steps for the Microsoft Exchange Server Vulnerabilities from Palo Alto Networks
- Protecting on-premises Exchange Servers against recent attacks von Microsoft
- This discussion at spiceworks.com, this crowdstrike site and this site
The information here is as of March 13, 2021. It is important to emphasize that it is not enough to patch the Exchange instances to eliminate the threat, but to go through the subsequent step. Maybe it will help you.
Exchange server 0-day exploits are actively exploited
Important notes from Microsoft regarding the Exchange server security update (March 2021)
Exchange isues with ECP/OWA search after installing security update (March 2021)
Exchange Hack News – Test tools from Microsoft and others
Microsoft MSERT helps to scan Exchange Servers
Cyber attack on Exchange server of the European Banking Authority
Exchange hack: new patches and new findings
Exchange Server: Remote Code Execution Vulnerability CVE-2020-16875
Exchange hack: new victims, new patches, new attacks
Update on ProxyLogon hafnium exchange issue (March 12, 2021)
Was there a leak at Microsoft in the Exchange mass hack?
Cookies helps to fund this blog: Cookie settings